UW Platteville Credit Card Handling Policy


Issued: December 2011
Revision History: November 7, 2013; July 11, 2014; November 1, 2014; August 24, 2015

Overview:

In order for UW Platteville to accept credit card payments, it is bound by contracts with the corresponding payment card companies. Payment card companies and governmental agencies have collaborated to develop comprehensive, thorough and rigorous data security standards, including: Payment Card Industry Data Security Standards (PCI DSS); Fair and Accurate Credit Transactions Act (FACTA); Payment Application Data Security Standards (PA DSS). In order to continue to accept credit card payments, UW Platteville must prove and maintain compliance with these various standards. An event such as a security breach of credit card data attributable to UW Platteville jeopardizes the institution's ability to continue to conduct transactions, potentially costing the institution a great deal of revenue. The contract also allows fines to be levied by the card companies in order to continue to do business with them should a breach occur.

Statement of Procedure:

It is the intent of UW Platteville to reduce institutional risk associated with the administration of merchant cards through the establishment and adoption of standard payment systems and clear assignment of responsibility. This procedure's intent is to provide campus departments and recognized student organizations with compliant, reliable and supportable methods for securely and conveniently accepting credit card payments. This reduces risk to individuals who entrust credit card information to UW Platteville and UW Platteville affiliated entities for transactions.

Definitions:

Merchant: Any department or recognized student organization that accepts credit cards or utilizes third-party software credit card processing on behalf of the university.

Operating Principles:

The following operating principles and responsibilities must be used by departments, recognized student organizations and university employees when accepting credit card information in order to process payments for services, purchases, registration, etc.

1. All merchant sites, including hosted sites, must be authorized by the UW Platteville Controller's Office. See Application and Service Level Agreement (SLA). SLAs must be renewed annually.

2. All merchant card services offered by the University must be delivered using software, systems, and procedures that are compliant with applicable standards.

3. UW Platteville will pre-authorize e-Payment services for use by UW Platteville units. (Click to see Pre-Authorized e-Payment services)

4. There should be a certain level of uniformity/branding in the look and feel of UW Platteville storefronts as indicated in the campus web policy except where the vendor dictates. This uniformity not only gives institutional identity to UW Platteville but can be used to avoid phishing.

5. Units must coordinate the delivery of goods and services with the timing of charging e-Payments to customers as defined in the credit card operating regulations.

6. The unit selling the goods or services must develop processes for handling credit card and bank account information provided by customers on paper in a safe way. Paper documents showing this information must be cross-shredded. Documents should be retained only for the period specified in the appropriate record retention schedule. (Retention Schedule)

7. UW Platteville units must reconcile e-Payments with goods and services provided and with funds deposited by the e-Payment processor into University bank accounts and into the Shared Financial System ledger. These reconciliations should be performed using the appropriate separation of duties.

Credit Card Merchant (Department/Recognized Student Organization) Responsibilities (agreed to in SLA):

Requirements associated with this policy apply to departments, recognized student organizations and university employees that accept credit card information.

Credit Card Merchant Numbers

a) All credit card merchant sites, including hosted sites, must be established through the Controller's Office. Departments and recognized student organizations are prohibited from obtaining merchant ID numbers directly from the credit card companies or setting up hosted sites without approval from the Controller's Office. Departments and recognized student organizations must notify the Controller's Office of software upgrades in a timely manner prior to the upgrade. Personnel and equipment changes related to credit card processing must be communicated within 5 business days of the change.

b) Each campus merchant site must identify a current contact person for the Controller's Office.

Credit Card Transaction Channels

c) Credit card information can only be accepted through a UW Platteville authorized web application, mail, in person or by telephone (secure line, not Voice over Internet Protocol (VOIP) or mobile).

d) Credit card information cannot be accepted via and must never be e-mailed from the department or recognized student organization. Credit card information must not be photocopied.

e) Any processing of credit card transactions must be done on a PCI-compliant workstation.

f) Without approval from the Controller's Office, departments and recognized student organizations are not permitted to locally or remotely transmit, process, or store credit card information on UW Platteville or personal computer systems, mobile devices, fax machines, the Internet, e-mail, e-messaging or any removable electronic storage (USB memory stick, hard drive, zip disk, etc.); not even if encrypted.

Credit Card Information Storage

g) Without approval from the Controller's Office, credit card merchants cannot store credit card information on a local computer or server.

h) Under no circumstances should the Card Identification Number (CID) be stored electronically. If collected on paper, the CID must be destroyed securely immediately after processing. The CID number is the three-digit security code on the back of the credit card. It is also referred to as the CVC2 and CVV2.

i) While waiting to be processed, paper records of the transaction, with credit card information, must be stored in a locked room or file cabinet. Access to the storage area(s) must be limited to authorized personnel only.

j) Paper records containing credit card data must be securely destroyed at the earliest possible date while complying with relevant data retention schedules.

Credit Card Receipts

k) Credit card receipts that go to the customer may only show the last four digits of the credit card number. Also, the credit card expiration date should not appear on the receipt.

l) Retain the original receipts, which show last four digits of the credit card number, for all transactions and any original, signed documentation in a secure location for a minimum of 12 months as required by the University of Wisconsin System Fiscal and Accounting General Records Schedule.

Fees, Reconciliations, Refunds & Disputes

m) Departments and recognized student organizations are responsible for all credit card processing fees. Departments and recognized student organizations may choose to charge a convenience fee to cover the actual amount incurred if allowed by credit card brand and method of acceptance.

n) Departments and recognized student organizations are responsible for the cost of equipment required to process transactions within the university credit card environment. The cost of credit card compliance will be allocated out to the respective departments and recognized student organizations. Departments and recognized student organizations will return the equipment to the appropriate office (Controller's Office for readers, ITS for computer equipment) when such equipment is no longer needed for proper disposal.

o) Reconciliation of credit card merchant activity must be performed at least monthly. Reconciliations will be subject to audit.

p) There must be adequate separation of duty between any person authorized to issue a refund and the individual reconciling the account.

q) Refunds must be credited to the same credit card account from which the original purchase was made.

r) Each department and recognized student organization is responsible for following up and resolving disputed transactions, in conjunction with the Controller's Office.

s) Each department and recognized student organization is responsible for ensuring the timely remittance of credit card receipts to UW Platteville by hosted sites.

Annual Self-Assessment & Network Scan

t) Each department and recognized student organization processing merchant cards must complete an annual risk/security questionnaire/self-assessment subject to audit. As part of this self-assessment, the Merchant must verify that all third-party payment application software, service providers and gateways that store, process or transmit cardholder data as part of an authorization or settlement are compliant with applicable payment card requirements. This verification can be performed by:

   Application Software: Determining if the applications software is listed on the Validated Payment Applications found on the PCI website with a non-expired validation date [https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php];

   Service Providers/gateways: Determining if the service provider/gateway is listed on the Visa Global Registry of Service Providers PCI DSS Validated Entities with a non-expired date. [http://usa.visa.com/download/merchants/cisp list of pcidss compliant service providers.pdf]

   In addition to the annual questionnaire, the merchant must complete a SAQ any time a credit card related system or process changes. Once completed, the questionnaire must be sent to the Controller's Office for tracking and distribution. The Controller's Office will then send the questionnaire to Internal Audit and the UW Platteville Information Security Officer for follow-up.

u) For all of the third-party vendors, the Merchant must request written acknowledgement that the service providers are responsible for the security of cardholder data that the service providers possess.

v) Credit card numbers should not be stored electronically. Departments and recognized student organizations should work with UW Platteville Information Security to ensure that no credit card numbers are stored electronically.

w) Departments and recognized student organizations must work to resolve exceptions identified on the annual risk/security questionnaire/self-assessment. Departments and recognized student organizations should work with UW Platteville Information Security to address any exceptions pertaining to technology or electronic storage. Consult with Internal Audit as needed.

Employees Handling Credit Card Information

x) All employees handling cardholder data and their supervisors or others identified by the Controller's Office, should sign a Confidentiality Acknowledgement form. The form should be the campus-wide form used by all departments.

y) All employees handling cardholder data must receive annual training. The employee must sign the training checklist and route to the supervisor for signature. The supervisors of each area will submit a report to the Controller's Office documenting those that have completed the training.

z) All employees processing credit cards must use a PCI-compliant workstation.

aa) Employees that are only generating reports related to credit card activity may use a campus computer to generate those reports as long as the full 16-digit credit card number is not displayed.

Imprint Machines

bb) Imprint machines are not allowed.

Exceptions To These Responsibilities

cc) While the Controller's Office does not have the authority to override the PCI Requirements, any exceptions you have to these responsibilities should be discussed with the Controller. The Controller's Office will consider exceptions to any of the above stated responsibilities on a case-by-case basis in consultation with UW Platteville Information Security Officer and Internal Audit. In considering exceptions, the Controller's Office will examine compliance with applicable standards and the existence and reliability of compensating controls. Departments and recognized student organizations are responsible for obtaining approval from the Controller's Office.

Consequences of Not Complying

dd) If a merchant does not comply with the above responsibilities, it may be determined that the merchant will no longer be allowed to accept credit cards and may result in significant financial penalties to the department or recognized student organization and the campus as a whole. Any additional monetary costs associated with remediation, assessment, forensic analysis or legal fees will be borne by the department, recognized student organization or college/division. The actions of one merchant can jeopardize all the campus merchants' ability to accept credit cards.

Controller's Office Responsibilities:

a) Develop standards for the campus with respect to accepting credit cards.

b) Apply for and secure all campus merchant ID numbers.

c) Establish and maintain a process for campus departments and recognized student organizations to accept credit cards.

d) Approve applications from campus departments and recognized student organizations before credit cards can be accepted.

e) Initiate and approve Service Level Agreements with each department and recognized student organization before credit cards can be accepted. Service Level Agreements will address the appropriate separation of duties within each department or recognized student organization.

f) Distribute monthly statements from credit card companies to departments and recognized student organizations for reconciliation.

g) Ensure credit card processing fees are properly charged in accord with state, UWS and UW Platteville contracts.

h) Ensure credit card processing fees are properly charged back to the appropriate department or recognized student organization.

i) Initiate annual renewals of all Service Level Agreements between the Controller's Office and the departments and recognized student organizations.

j) Provide appropriate training to the campus on merchant card transactions.

k) Ensure that each campus department and recognized student organization that accepts credit cards completes the risk/security questionnaire/self-assessment required by applicable standards on an annual basis. During this annual process, the Controller will be responsible for verifying that all Merchants provide appropriate compliance documentation of all third-party payment application software, service providers and gateways that store, process or transmit cardholder data as part of an authorization or settlement.

l) Maintain a central file of all documentation indicating third-party vendor and third-party payment application software compliance with applicable requirements.

m) Provide an application form and approve departments and recognized student organizations to request merchant ID.

n) Serve as chair of the PCI core team.

UW Platteville Information Technology Responsibilities:

a) Work with the Controller's Office to develop standards for the campus with respect to accepting credit cards.

b) When requested by the Controller's Office, Information Security Officer will approve/deny applications for departments and recognized student organizations that accept credit cards.

c) Work to resolve exceptions pertaining to technology or electronic storage noted on the annual risk/security questionnaire/self-assessment and quarterly network scans. Consult with Internal Audit as needed.

d) Perform monthly internal network scans to ensure UW Platteville is PCI compliant. Coordinate this effort with Internal Audit.

e) Maintain inventory of all credit card software and hardware components in consultation with Financial Services through the annual service level agreement process.

f) Notify Controller's Office when departments and recognized student organizations initiate a request for software or hardware changes that relate to credit card processing.

g) Notify and update Controller on issue tickets for any credit card processing related tickets.

h) Members of the PCI core team.

UW System Internal Audit Responsibilities:

a) Member of the PCI core team.

b) Internal Audit will monitor the overall effort by incorporating credit card risk into the audit plan.

c) Serve as a resource for Controller's Office.


More information

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure. Payment Card Industry Security Standards Over the past years, a series of new rules and regulations regarding consumer safety and identify theft have been enacted by both the government and the PCI Security

More information

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES POLICY STATEMENT Introduction Some San Diego State University Research Foundation

More information

CAL POLY POMONA FOUNDATION. Policy for Accepting Payment (Credit) Card and Ecommerce Payments

CAL POLY POMONA FOUNDATION. Policy for Accepting Payment (Credit) Card and Ecommerce Payments CAL POLY POMONA FOUNDATION Policy for Accepting Payment (Credit) Card and Ecommerce Payments 1 PURPOSE The purpose of this policy is to establish business processes and procedures for accepting payment

More information

Clark University's PCI Compliance Policy

Clark University's PCI Compliance Policy ï» Clark University's PCI Compliance Policy Who Should Read this Policy: All persons who have access to credit card information, including: Every employee that accesses handles or maintains credit card

More information

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents UNL PAYMENT CARD POLICY AND PROCEDURES Table of Contents Payment Card Merchant Security Standards Policy and Procedures... 2 Introduction... 4 Payment Card Industry Data Security Standard... 4 Definitions...

More information

WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS

WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS I. Introduction, Background and Purpose This Merchant Account Agreement (the Merchant Agreement or Agreement ) is entered

More information

PCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

PCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS: Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal

More information

Office of Finance and Treasury

Office of Finance and Treasury Office of Finance and Treasury How to Accept & Process Credit and Debit Card Transactions Procedure Related Policy Title Credit Card Processing Policy For University Merchant Locations Responsible Executive

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

CREDIT CARD PROCESSING & SECURITY POLICY

CREDIT CARD PROCESSING & SECURITY POLICY FINANCE AND TREASURY POLICIES AND PROCEDURES E071 CREDIT CARD PROCESSING & SECURITY POLICY PURPOSE The purpose of this policy is to establish guidelines for processing charges/credits on Credit Cards to

More information

D. DFA: Mississippi Department of Finance and Administration.

D. DFA: Mississippi Department of Finance and Administration. MISSISSIPPI DEPARTMENT OF FINANCE AND ADMINISTRATION ADMINISTRATIVE RULE PAYMENTS BY CREDIT CARD, CHARGE CARD, DEBIT CARDS OR OTHER FORMS OF ELECTRONIC PAYMENT OF AMOUNTS OWED TO STATE AGENCIES The Department

More information

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume. Credit Card Procedures and Policies Texas A&M Health Science Center offers university departments the convenience of accepting credit cards in payment for goods and services provided. All University departments

More information

COLLEGE POLICY ON CREDIT/DEBIT CARD PAYMENT PROCESSING

COLLEGE POLICY ON CREDIT/DEBIT CARD PAYMENT PROCESSING COLLEGE POLICY ON CREDIT/DEBIT CARD PAYMENT PROCESSING Supersedes: None Date: March 17, 2014 I. PURPOSE To establish business processes and procedures for the processing of credit/debit card payments as

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards PCI DSS Rhonda Chorney Manager, Revenue Capital & General Accounting Today s Agenda 1. What is PCI DSS? 2. Where are we today? 3. Why is compliance so important?

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES This document describes Eastern Oklahoma State College s policy and procedures for the proper

More information

Department PCI Self-Assessment Questionnaire Version 1.1

Department PCI Self-Assessment Questionnaire Version 1.1 Department PCI Self-Assessment Questionnaire Version 1.1 2009 Attestation of Compliance Instructions for Submission This Department PCI Self-Assessment Questionnaire has been developed as an assessment

More information

688 Sherbrooke Street West, Room 730 James Administration Building, Room 524

688 Sherbrooke Street West, Room 730 James Administration Building, Room 524 'McGill Sylvia Franke, LL.B., B.Sc. Albert Caponi, C.A. Chief Information Officer Assistant Vice-Principal (Financial Services) 688 Sherbrooke Street West, Room 730 James Administration Building, Room

More information

CREDIT CARD PROCESSING POLICY AND PROCEDURES

CREDIT CARD PROCESSING POLICY AND PROCEDURES CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.

More information

Welcome to the Duke Medicine Credit Card PCI Education session.

Welcome to the Duke Medicine Credit Card PCI Education session. Welcome to the Duke Medicine Credit Card PCI Education session. During this session, we will explain the Duke Medicine Credit Card PCI Policy and Procedure that has been implemented to ensure we are in

More information

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011 CREDIT CARD MERCHANT PROCEDURES MANUAL Effective Date: 5/25/2011 Updated: May 25, 2011 TABLE OF CONTENTS Introduction... 1 Third-Party Vendors... 1 Merchant Account Set-up... 2 Personnel Requirements...

More information

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format. Policy Number: 339 Policy Title: Credit Card Processing Policy, Procedure, & Standards Review Date: 07-23-15 Approval Date: 07-27-15 POLICY: All individuals involved in handling credit and debit card transactions

More information

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration Andrews University Payment Card Acceptance Policies & Procedures Prepared by Financial Administration July 12, 2011 Part I: Introduction of Policy and Purpose Formatted: Font: 12 pt In order to protect

More information

Policies and Procedures. Merchant Card Services Office of Treasury Operations

Policies and Procedures. Merchant Card Services Office of Treasury Operations Policies and Procedures Merchant Card Services Office of Treasury Operations 1 Welcome! Table of Contents: Introduction Establishing Payment Card Services Payment Card Acceptance Procedures Payment Card

More information

Payment Card Acceptance Administrative Policy

Payment Card Acceptance Administrative Policy Administrative Procedure Approved By: Brandon Gilliland, Associate Vice President for Finance & Controller Effective Date: October 1, 2014 History: Approval Date: September 25, 2014 Revisions: Type: Administrative

More information

UCSB Credit Card Processing and PCI Compliance

UCSB Credit Card Processing and PCI Compliance UCSB Credit Card Processing and PCI Compliance Sandra Featherson Associate Director of Controls Campus Credit Card Coordinator May 2011 Agenda Campus Credit Card Process Overview Terminology Approval/Acceptance

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

Credit Card Processing and Security Policy

Credit Card Processing and Security Policy Credit Card Processing and Security Policy Policy Number: Reserved for future use Responsible Official: Vice President of Administration and Finance Responsible Office: Student Account Services Effective

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals Electronic Cardholder

More information

Liverpool Hope University. PCI DSS Policy

Liverpool Hope University. PCI DSS Policy Liverpool Hope University PCI DSS Policy Document Control Date Revision/Amendment Details & Reason Author 26 th March 2015 Updates G. Donelan 23 rd June 2015 Audit Committee 7 th July 2015 University Council

More information

Registry of Service Providers

Registry of Service Providers Registry of Service Providers Program Guide Contents 1 2 1.1 What is the Registry of Service Providers? 2 1.2 Who can register? 3 1.3 Why register with Visa? 3 1.4 Implications for Visa Clients 4 2 5 2.1

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced Version 3.0 February

More information

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to: What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International

More information

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW David Kittle Chief Information Officer Chris Ditmarsch Network & Security Administrator Smoker Friendly International / The Cigarette Store Corp

More information

3. Internet Credit Card Processing System generates a daily batch release report 4. Reporting Deposits to the University Depository

3. Internet Credit Card Processing System generates a daily batch release report 4. Reporting Deposits to the University Depository Internal Credit/Debit Card Processing Policies and Procedures for University of Tennessee Merchants Merchant: DBA Effective: Date Reviewed: Date Revised: Date 1. General Statement 2. Point-of-Sale Processing

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information

PCI Compliance Information Packet for Volunteers - Credit Card Processing for Product Sales and Online Camp / Event Registration

PCI Compliance Information Packet for Volunteers - Credit Card Processing for Product Sales and Online Camp / Event Registration PCI Compliance Information Packet for Volunteers - Credit Card Processing for Product Sales and Online Camp / Event Registration Table of Contents Introduction to Credit Card Processing for Product Sales

More information

Cal Poly PCI DSS Compliance Training and Information. Information Security http://security.calpoly.edu 1

Cal Poly PCI DSS Compliance Training and Information. Information Security http://security.calpoly.edu 1 Cal Poly PCI DSS Compliance Training and Information Information Security http://security.calpoly.edu 1 Training Objectives Understanding PCI DSS What is it? How to comply with requirements Appropriate

More information

Frequently Asked Questions

Frequently Asked Questions PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply

More information

Dartmouth College Merchant Credit Card Policy for Processors

Dartmouth College Merchant Credit Card Policy for Processors Mission Statement Dartmouth College Merchant Credit Card Policy for Processors Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance with the

More information

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0 Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire C-VT Version 2.0 October 2010 Attestation of Compliance, SAQ C-VT Instructions for Submission

More information

Policy for Accepting Payment (Credit) Card and Ecommerce Payments

Policy for Accepting Payment (Credit) Card and Ecommerce Payments Policy for Accepting Payment (Credit) Card and Ecommerce Payments 1 Revision Control Document Title: File Reference: Credit Card Handling Policy and Procedure PCI Policy020212.docx Date By Action Pages

More information

Annual Trustwave PCI Self Assessment Questionnaire (SAQ) Educational Presentation. Understanding the Merchants Responsibilities for PCI Compliance

Annual Trustwave PCI Self Assessment Questionnaire (SAQ) Educational Presentation. Understanding the Merchants Responsibilities for PCI Compliance Annual Trustwave PCI Self Assessment Questionnaire (SAQ) Educational Presentation Understanding the Merchants Responsibilities for PCI Compliance Agenda Discussion on Merchant Responsibilities Discussion

More information

FAQ s for Payment Card Processing at the University

FAQ s for Payment Card Processing at the University FAQ s for Payment Card Processing at the University 1) We are thinking about taking credit cards for payments. What do we need to know? 2) Who is the PCPC (Payment Card Process Coordinator)? 3) What is

More information

A Compliance Overview for the Payment Card Industry (PCI)

A Compliance Overview for the Payment Card Industry (PCI) A Compliance Overview for the Payment Card Industry (PCI) Many organizations are aware of the Payment Card Industry (PCI) and PCI compliance but are unsure if they are doing everything necessary. This

More information

PCI DSS SECURITY AWARENESS

PCI DSS SECURITY AWARENESS PCI DSS SECURITY AWARENESS Annual Education Module James Madison University University Business Office Compliance Specialist TRAINING AUDIENCE The following training module should be completed by all University

More information